Using FreeRadius to coordinate access to cisco routers based on time

Frank Cui ycui at
Thu May 22 22:17:18 CEST 2014

Hi Radius People,
I'm a new user on FreeRadius and recently considering using FreeRadius version 2 in our environment. 
Basically we are an education/training environment where we have some students accessing the routers and switches for practise, terminal server are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into few groups. We want to implement policy on the radius server so that only a certain group can access the pod in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter .) 

+++++++++++++++                                           +++++++++++++++                                      ++++++++++++++         User            +++++++++++++++++++++    Cisco 2600     +++++++++++++++++++   Network      ++                             +                                            +  Terminal Serv +                                       +    Devices       ++++++++++++++++                                           +++++++++++++++                                      +++++++++++++                                                                                        (NAS)                                                                                            +                                                                                            +                                                                               +++++++++++++++                                                                                   +   FreeRadius      +                                                                              +++++++++++++++

Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
users=============cisco Auth-Type := System  Service-Type = NAS-Prompt-User,  cisco-avpair = "shell:priv-lvl=15"
clients.conf==============client {  secret = SECRET_KEY  shortname = termserver  nastype = cisco}
A typical transaction would be :
Access-Request=======        NAS-IP-Address =        NAS-Port = 35        NAS-Port-Type = Async        User-Name = "cisco"        Calling-Station-Id = ""        User-Password = "cisco"
Access-Accept=======        Service-Type = NAS-Prompt-User        Cisco-AVPair = "shell:priv-lvl=15"
However, this doesn't really provide any timing or grouping policy. Could you please provide some hints on how typically the timing limits are enforced with the freeradius and cisco terminal server?
Thanks a lot in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list